

gateways: fix and improve configurations from previous commits
This patch addresses issues and refines changes made in earlier commits.
PolynomialDivision committed Dec 19, 2024
1 parent e278976 commit beb51e0
Showing 5 changed files with 77 additions and 93 deletions.
1 change: 1 addition & 0 deletions group_vars/role_gateway/imageprofile.yml
Expand Up @@ -7,6 +7,7 @@ role_uplink_gw__packages__to_merge:
- collectd-mod-snmp6
- olsrd
- olsrd-mod-arprefresh
- olsrd-mod-dyn-gw
- olsrd-mod-jsoninfo
- olsrd-mod-nameservice
- olsrd-mod-txtinfo
22 changes: 6 additions & 16 deletions roles/cfg_openwrt/templates/gateway/bird.conf.j2
Expand Up @@ -32,9 +32,14 @@ protocol kernel kernel_v6_main {
protocol kernel kernel_v4_main {
ipv4 {
table v4_main;
import none;
import filter {
if net != 0.0.0.0/0 then reject; # Import only Default Gateway from kernel
preference = 200; # Increase preference to beat babel route
accept;
};
export none;
};
learn all;
}

protocol kernel kernel_v4_babel_ff {
Expand Down Expand Up @@ -69,21 +74,6 @@ protocol pipe pipe_v4_main_to_babel_default {
import none;
}

##
## Uplink static IPv4 route
##
{% if uplink['ipv4'] | ansible.utils.ipaddr('prefix') >= 30 %}
{% set v4_nexthop = uplink['ipv4'] | ansible.utils.ipaddr('peer') %}
{% else %}
{% set v4_nexthop = uplink['ipv4'] | ansible.utils.ipaddr('1') | ansible.utils.ipaddr('address') %}
{%- endif %}

protocol static static_uplink {
ipv4 { table v4_main; };
check link;
route 0.0.0.0/0 via {{ v4_nexthop }} dev "{{ uplink['ifname'] }}";
}

##
## Babel Section
##
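Review bot: The new import filter on `kernel_v4_main` (`if net != 0.0.0.0/0 then reject; preference = 200; accept;`) together with `learn all;` accepts any IPv4 default route present in the kernel table, whoever installed it, not only the one netifd now sets from `option gateway` in network.j2. Since the olsrd.j2 hunk of this commit drops `RtTable`/`RtTableDefault`, olsrd presumably falls back to the main table, so a 0.0.0.0/0 learned from another node's HNA or a smart-gateway tunnel could be imported at preference 200 and, through `pipe_v4_main_to_babel_default` (context line of the second hunk), re-announced into babel as this gateway's own default; I cannot rule that loop out from what is visible. If only the uplink route is meant, narrow the filter on the route's interface, e.g. `if net != 0.0.0.0/0 || ifname != "{{ uplink['ifname'] }}" then reject;` (assuming the deployed BIRD exposes `ifname` in filters), and say so in the comment, which currently reads as if the filter already did that. `learn all` is also newer syntax than plain `learn`; worth confirming the OpenWrt BIRD package accepts it.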
102 changes: 57 additions & 45 deletions roles/cfg_openwrt/templates/gateway/config/firewall.j2
Expand Up @@ -62,6 +62,10 @@ config include
option path /etc/custom_fw_includes/table_prepend_redirect_samplicator
option position table-prepend

#
## Inbound to host
#

{% if 'ipv6' in uplink %}
config rule
option name "Allow BGP"
Expand Down Expand Up @@ -137,83 +141,91 @@ config rule
option family ipv6
option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src uplink
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT

# Allow list via group_vars/role_gateway/general.yml
{% for rule in inbound_allow | default([]) %}
config rule
option name '{{ rule['name'] }}'
option src uplink
option dest freifunk
{% if 'dst' in rule %}
option dest_ip '{{ rule['dst'] }}'
{% endif %}
{% if 'src' in rule %}
option src_ip '{{ rule['src'] }}'
{% endif %}
{% if 'proto' in rule %}
option proto '{{ rule['proto'] }}'
{% endif %}
{% if 'src_port' in rule %}
option src_port '{{ rule['src_port'] }}'
{% endif %}
{% if 'dst_port' in rule %}
option dest_port '{{ rule['dst_port'] }}'
{% endif %}
option target ACCEPT
{% endfor %}
#
## Foward / Inbound to mesh
#

# Allow traffic from Internet to inbound_filtered networks unconditionally
config rule
option name 'Accept Traffic to inbound_filtered networks'
option src uplink
option dest freifunk
option ipset 'inbound_filtered_networks dest'
option ipset 'inbound_filtered_networks dest' # defined at EOF
option proto all
option target ACCEPT

# Dont track (Internet -> inbound_filtered_networks)
config rule
option name 'Dont track (Internet -> inbound_filtered_networks)'
option src uplink
option dest freifunk # see note below
option ipset 'inbound_filtered_networks dest'
option dest * # see note below
option ipset 'inbound_filtered_networks dest' # defined at EOF
option proto all
option target NOTRACK

# Dont track (Internet via GRE -> inbound_filtered_networks)
config rule
option name 'Dont track (Internet via GRE -> inbound_filtered_networks)'
option src freifunk
option dest freifunk # see note below
option ipset 'inbound_filtered_networks dest'
option dest * # see note below
option ipset 'inbound_filtered_networks dest' # defined at EOF
option proto all
option target NOTRACK

# Dont track (inbound_filtered_networks -> Internet + Internet via GRE)
config rule
option name 'Dont track (inbound_filtered_networks -> Internet + Internet via GRE)'
option src freifunk
option dest uplink # see note below
option dest * # see note below
option ipset 'inbound_filtered_networks src'
option proto all
option target NOTRACK

# Note: option dest actually has no impact in rendered nftables config by fw4, because
# NOTRACK needs to be set on prerouting, where the outbound interface is not determined,
# but is necessary in order to let fw4 know this is a forwarding rule.

# Allow list via group_vars/role_gateway/general.yml
{% for rule in inbound_allow | default([]) %}
config rule
option name '{{ rule['name'] }}'
option src uplink
option dest freifunk
{% if 'dst' in rule %}
option dest_ip '{{ rule['dst'] }}'
{% endif %}
{% if 'src' in rule %}
option src_ip '{{ rule['src'] }}'
{% endif %}
option proto '{{ rule.get('proto', 'all') }}'
{% if 'src_port' in rule %}
option src_port '{{ rule['src_port'] }}'
{% endif %}
{% if 'dst_port' in rule %}
option dest_port '{{ rule['dst_port'] }}'
{% endif %}
option target ACCEPT
{% endfor %}

# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src uplink
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT

# ipset for stateful firewall bypass
config ipset
option name 'inbound_filtered_networks'
option match 'net'
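Review bot: `option proto '{{ rule.get('proto', 'all') }}'` in the moved `inbound_allow` loop changes what an entry without `proto` means: before, the option was omitted and fw4 applied its own default (tcp/udp, as far as I know), now it renders `all`, and as I read fw4, `src_port`/`dest_port` are not applied when proto is `all`, so an entry carrying only `dst` and `dst_port` would accept every protocol to that host instead of one port. Either keep proto optional as the old block did (`{% if 'proto' in rule %}option proto '{{ rule['proto'] }}'{% endif %}`) or fail the render when a port is combined with `all`, and document the default in the `# Allow list via group_vars/role_gateway/general.yml` comment. The `option dest *` change on the three NOTRACK rules is covered by the note below them, but the heading `## Foward / Inbound to mesh` has a typo (Forward).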
18 changes: 2 additions & 16 deletions roles/cfg_openwrt/templates/gateway/config/network.j2
@@ -1,17 +1,3 @@
# IPv4 Soft Migration by priotizing Babel over OLSR
# Static default Route is set by bird
config rule
option priority 33100
option lookup 'babel-ff'

config rule
option priority 33101
option lookup 'olsr-ff'

config rule
option priority 33200
option lookup 'babel-default'

config interface 'loopback'
option device 'lo'
option proto 'static'
Expand All @@ -26,9 +12,9 @@ config interface 'uplink'
option proto 'static'
option ipaddr '{{ uplink['ipv4'] }}'
{% if uplink['ipv4'] | ansible.utils.ipaddr('prefix') >= 30 %}
# option gateway '{{ uplink['ipv4'] | ansible.utils.ipaddr('peer') }}'
option gateway '{{ uplink['ipv4'] | ansible.utils.ipaddr('peer') }}'
{% else %}
# option gateway '{{ uplink['ipv4'] | ansible.utils.ipaddr('1') | ansible.utils.ipaddr('address') }}'
option gateway '{{ uplink['ipv4'] | ansible.utils.ipaddr('1') | ansible.utils.ipaddr('address') }}'
{% endif %}
{% if 'ipv6' in uplink %}
option ip6addr '{{ uplink['ipv6'] }}'
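Review bot: Uncommenting `option gateway` makes netifd install the uplink default route, but nothing in the hunk records that bird now imports it (the old `# Static default Route is set by bird` header is deleted), so the dependency between this file and bird.conf.j2 becomes invisible; I would add `# Default route is installed by netifd and imported by bird (kernel_v4_main in bird.conf.j2)` above the `{% if uplink['ipv4'] ... %}` block. The three `config rule` policy-routing entries for `babel-ff`, `olsr-ff` and `babel-default` are removed without replacement here; unless those tables are no longer populated (bird's `kernel_v4_babel_ff` is still visible as context in bird.conf.j2) or the rules are installed elsewhere, routes in them stop being consulted, which the commit message should state.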
27 changes: 11 additions & 16 deletions roles/cfg_openwrt/templates/gateway/config/olsrd.j2
Expand Up @@ -24,6 +24,15 @@ config LoadPlugin
option library 'olsrd_txtinfo'
option port '2006'

config LoadPlugin
option library 'olsrd_dyn_gw'
list Ping '46.182.19.48'
list Ping '80.67.169.40'
list Ping '194.150.168.168'
option ignore '0'
option PingCmd 'ping -c 1 -q -I {{ uplink['ifname'] }} %s'
option PingInterval '30'

config olsrd
option IpVersion '4'
option FIBMetric 'flat'
Expand All @@ -36,13 +45,6 @@ config olsrd
option OlsrPort '698'
option Willingness '3'
option TosValue '16'
option RtTable '20'
option RtTableDefault '21'
# set rule priorities to some random high numbers to make sure they are never used
# We define our own route policies in /etc/config/network
option RtTablePriority '34000'
option RtTableTunnelPriority '34020'
option RtTableDefaultPriority '34030'
{% if sgw is defined and sgw %}
option SmartGateway 'yes'
option SmartGatewayUplink 'both'
Expand All @@ -69,17 +71,10 @@ config Interface
option Mode '{{ 'ether' if interface.get('ptp') else 'mesh' }}'
option LinkQualityMult 'default 1.0'
{% endfor %}
{% endif %}

{% if mgmt is defined %}
{% if mgmt is defined %}
config Hna4
option netmask '{{ mgmt['ipv4'] | ansible.utils.ipaddr('netmask') }}'
option netaddr '{{ mgmt['ipv4'] | ansible.utils.ipaddr('network') }}'
{% endif %}
{% endif %}

# Announce default route, its anyways not used for forwarding within BBB
# We only need it to attract traffic from legacy mesh nodes, until babel
# takes over in our core network
config Hna4
option netmask '0.0.0.0'
option netaddr '0.0.0.0'
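Review bot: `option PingCmd 'ping -c 1 -q -I {{ uplink['ifname'] }} %s'` builds a command line from an inventory value that is interpolated without quoting; if the plugin passes this string to a shell, as I would expect, an ifname containing whitespace or shell metacharacters alters the command instead of failing. Validate the variable before rendering, e.g. an `ansible.builtin.assert` that `uplink['ifname'] is match('^[A-Za-z0-9_.-]+$')`, since the same value also reaches other templates. The three `list Ping` targets are fixed in the template; moving them to group_vars with a comment on who operates them keeps the choice reviewable and replaceable. Dropping the `Hna4 0.0.0.0/0` block means the default is now announced only while dyn_gw's pings succeed (as I understand the plugin), which deserves a comment on the `LoadPlugin` block, e.g. `# dyn_gw announces 0.0.0.0/0 only while the uplink can reach the ping targets`.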
